Posts: 141
3737     0


This search shows which networks were blocked by DNS Firewall and a description why it was blocked.

It helps to identify false positives. E.g. on the attached screenshot you can see a lot of networks (/10-/16) were blocked on cnc-driveby feed. It looks suspicious.


Actually it is not a report/dashboard but provides table view and it is very simple to convert it to a report/dashboard.

And also it shows how easily you can dig/mine/analyse data in Splunk.


index=ib_dns_summary source="si-search-dns-rpz-hits"
| rex field=RPZ_QNAME "^(?<CIDR>[1-9]|1[0-9]|2[0-9])\.(?<ip4>\d+)\.(?<ip3>\d+\.)(?<ip2>\d+\.)(?<ip1>\d+\.)[^\.]+\.(?<feed>.*)"
| search CIDR>0
| eval NET=ip1.ip2.ip3.ip4."/".CIDR
| table feed, RPZ_QNAME, NET, CIDR, TOTAL_COUNT
| stats sum(TOTAL_COUNT) as Hits by feed, RPZ_QNAME, NET, CIDR
| sort CIDR, -Hits
| addthreatstopdetails rpzorip RPZ_QNAME
| table feed, RPZ_QNAME, NET, CIDR, Hits, short_description, public_description




The report shows if networks/IPs registered in IPAM are blacklisted


The report checks if customer's networks (registered in IPAM) are blacklisted in ThreatStop feeds

  <label>IPAM check blacklisting</label>
          <query>index=ib_ipam sourcetype="ib:ipam:network" | dedup NETWORK | rex field=address "^(?&lt;ip1&gt;\d+\.)(?&lt;ip2&gt;\d+\.)(?&lt;ip3&gt;\d+\.)(?&lt;ip4&gt;\d+)$" | eval REQ=cidr.".".ip4.".".ip3.ip2.ip1."rpz-ip.cnc.rpz.infoblox.local" | addthreatstopdetails rpzorip REQ | search short_description !="UNKNOWN"  | table NETWORK, short_description , public_description</query>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
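Both searches above rely on the rpz-ip trigger encoding (prefix length, then the four octets reversed, then rpz-ip and the feed zone). The following is an added example in Python, not the poster's SPL or Infoblox code: it decodes such a QNAME back to a network and feed, encodes an IPAM network the way the second query builds REQ, and flags wide prefixes of the kind the first post calls out as suspicious. It goes beyond the SPL regex by accepting any prefix length /0-/32; the sample names are constructed, and the zone cnc.rpz.infoblox.local is taken from the dashboard query.

```python
import ipaddress
import re

# Constructed sample RPZ hit names in rpz-ip form:
#   <prefix>.<ip4>.<ip3>.<ip2>.<ip1>.rpz-ip.<feed zone>
SAMPLE_QNAMES = [
    "24.0.0.168.192.rpz-ip.cnc-driveby.rpz.infoblox.local",
    "32.1.0.0.10.rpz-ip.cnc.rpz.infoblox.local",
    "10.0.0.0.10.rpz-ip.cnc-driveby.rpz.infoblox.local",
    "www.example.test.cnc.rpz.infoblox.local",  # a name trigger, not rpz-ip
]

# Unlike the SPL regex (/1-/29 only), accept any one- or two-digit prefix
# and validate the range afterwards.
RPZ_IP_RE = re.compile(
    r"^(?P<cidr>\d{1,2})\.(?P<ip4>\d{1,3})\.(?P<ip3>\d{1,3})"
    r"\.(?P<ip2>\d{1,3})\.(?P<ip1>\d{1,3})\.rpz-ip\.(?P<feed>.+)$"
)


def decode_rpz_ip(qname):
    """Return (IPv4Network, feed zone) for an rpz-ip QNAME, else None."""
    m = RPZ_IP_RE.match(qname)
    if not m:
        return None
    cidr = int(m["cidr"])
    if cidr > 32:
        return None
    addr = ".".join(m[k] for k in ("ip1", "ip2", "ip3", "ip4"))
    try:
        net = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
    except ValueError:  # octet out of range, e.g. 300.1.1.1
        return None
    return net, m["feed"]


def encode_rpz_ip(network, zone):
    """Build the rpz-ip QNAME used to look a network up in a feed zone."""
    net = ipaddress.ip_network(network, strict=False)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + f".rpz-ip.{zone}"


def wide_blocks(qnames, max_prefixlen=16):
    """List (network, feed) hits whose prefix is /max_prefixlen or shorter,
    i.e. the whole-network blocks worth reviewing as false positives."""
    hits = []
    for q in qnames:
        decoded = decode_rpz_ip(q)
        if decoded and decoded[0].prefixlen <= max_prefixlen:
            hits.append((str(decoded[0]), decoded[1]))
    return hits
```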
